Sign in the cloud. Verify anywhere.
A tool and library for signing WebAssembly modules with embedded signatures that can be verified completely offline - perfect for embedded systems, edge devices, and air-gapped environments.
Unlike OCI registry signatures (Cosign) that require network access at verification time, wsc embeds signatures directly in the WASM module. This enables:
| Scenario | Cosign/OCI | wsc |
|---|---|---|
| IoT device with intermittent WiFi | Needs connectivity | Verify offline |
| Industrial controller | Requires registry access | Signature embedded |
| Edge CDN node | Registry latency | Local verification |
| Air-gapped network | Cannot verify | Works offline |
wsc is an enhanced WebAssembly signing toolkit built on the foundation of wasmsign2 by Frank Denis. While maintaining compatibility with the WebAssembly modules signatures proposal, wsc adds production-oriented features:
- Offline-First Verification: Embedded signatures survive distribution - no network required at runtime
- Keyless Signing: Full Sigstore/Fulcio/Rekor integration with OIDC authentication (GitHub Actions, Google Cloud, GitLab CI)
- Keyless Verification: Verify Sigstore signatures offline with certificate chain and SET validation
- Enhanced Rekor Verification: Checkpoint-based verification with security hardening
- Bazel Integration: Full BUILD and MODULE.bazel support for hermetic builds
- WIT Component Model: Both library (
wsc-component.wasm) and CLI (wsc-cli.wasm) builds
wsc is based on wasmsign2 by Frank Denis, a reference implementation of the WebAssembly modules signatures proposal.
We plan to add additional features to support production use cases, including:
- Enhanced Rekor verification with checkpoint-based proofs
- Bazel build system integration for hermetic builds
- WebAssembly Component Model (WIT) support
- Expanded keyless signing capabilities
- Additional security hardening and validation
MIT License - Original wasmsign2 Copyright (c) 2024 Frank Denis
Unlike typical desktop and mobile applications, WebAssembly binaries do not embed any kind of digital signatures to verify that they come from a trusted source, and haven't been tampered with.
wsc takes an existing WebAssembly module, computes a signature for its content, and stores the signature in a custom section.
The resulting binary remains a standalone, valid WebAssembly module, but signatures can be verified prior to executing it.
wsc implements the WebAssembly modules signatures proposal. The file format is documented in the WebAssembly tool conventions repository.
The proposal, and this implementation, support domain-specific features such as:
- The ability to have multiple signatures for a single module, with a compact representation
- The ability to sign a module which was already signed with different keys
- The ability to extend an existing module with additional custom sections, without invalidating existing signatures
- The ability to verify multiple subsets of a module's sections with a single signature
- The ability to turn an embedded signature into a detached one, and the other way round
wsc is a Rust crate that can be used in other applications.
It is also a CLI tool to perform common operations, whose usage is summarized below.
cargo install wsc-cligit clone https://github.com/pulseengine/wsc.git
cd wsc
cargo build --releasebazel build //src/cli:wscwsc supports keyless signing using Sigstore - sign in CI, verify anywhere:
# Sign in GitHub Actions (or any OIDC-enabled CI)
wsc sign --keyless -i module.wasm -o signed.wasmThis will:
- Authenticate via OIDC (GitHub Actions, Google Cloud, GitLab CI)
- Generate an ephemeral key pair
- Obtain a certificate from Fulcio
- Sign the module
- Upload signature to Rekor transparency log
- Embed the certificate and Rekor proof in the module
Verify a keyless-signed module - no network required:
# Basic verification (offline)
wsc verify --keyless -i signed.wasm
# With identity constraints
wsc verify --keyless -i signed.wasm \
--cert-identity "[email protected]" \
--cert-oidc-issuer "https://token.actions.githubusercontent.com"Verification performs:
- Certificate chain validation against embedded Fulcio roots
- Rekor SET (Signed Entry Timestamp) verification
- Identity and issuer validation (optional)
wsc keygen -k secret.key -K public.keywsc sign -k secret.key -i module.wasm -o signed.wasmwsc verify -K public.key -i signed.wasmwsc show -i module.wasm# Detach signature to a file
wsc detach -i signed.wasm -o unsigned.wasm -S signature.bin
# Attach signature from a file
wsc attach -i unsigned.wasm -o signed.wasm -S signature.binwsc can verify signatures for specific custom sections:
wsc verify -K public.key -i signed.wasm --split "custom_section_regex"wsc supports OpenSSH-formatted Ed25519 keys:
# Generate SSH key
ssh-keygen -t ed25519 -f key
# Sign module (use --ssh flag)
wsc sign -k key --ssh -i module.wasm -o signed.wasm
# Verify module
wsc verify -K key.pub --ssh -i signed.wasmVerify using a GitHub user's SSH public keys:
wsc verify --from-github username -i signed.wasmwsc includes comprehensive Rekor inclusion proof verification:
- ✅ SET (Signed Entry Timestamp) verification
- ✅ Checkpoint-based verification with cryptographic tree state proofs
- ✅ Security hardening: Key fingerprint validation, origin validation, cross-shard attack prevention
- ✅ Defense-in-depth: 5 layers of security validation
See docs/checkpoint_security_audit.md for details.
Full Bazel support for hermetic builds:
# BUILD.bazel
load("@rules_rust//rust:defs.bzl", "rust_binary")
rust_binary(
name = "wsc",
srcs = ["//src/cli:wsc"],
)See MODULE.bazel for dependency configuration.
Build both library and CLI as WebAssembly components:
# Build WIT component library
bazel build //src/component:wsc-component.wasm
# Build WASI CLI binary
bazel build //src/cli:wsc-cli.wasm- Checkpoint Implementation - Checkpoint-based verification details
- Security Audit - Security vulnerabilities found and fixed
- Checkpoint Format - Complete format specification
- sigstore-rs Comparison - Comparison with official Rust implementation
- Security Documentation - Comprehensive security model and operational security
- Keyless Signing - Keyless signing with Sigstore/Fulcio
- Testing Guide - Testing procedures and guidelines
wsc is under active development. Core signing/verification and Rekor validation are functional. See open issues for planned enhancements.
MIT License - see LICENSE file for details.
- Frank Denis - Original wasmsign2 implementation
- Sigstore Project - Keyless signing infrastructure
- WebAssembly Community - Signatures proposal and specification
